This sounds worse than Drupalgeddon from last year. Total nightmare and don't think your site is too small to get hit.

I had a couple of "abandoned" sites with no traffic running unpatched versions of Drupal and they were hit within a day.

Joomla and Wordpress are junk. They are "free" therefore you give them the right to be owned. Don't use this trash, there is nothing for free in this world. Also they are targeted and always will be targeted because all the freebies use them.

They should close down Word#*$! and Joomla#*$! and stop deceiving people. Of course if you love to be spied on and hacked just use them, this is the price you have to pay for being naive.

They are? I love posts like this, which usually assert that everything is junk except whatever custom-made thing someone has produced using the platform du jour or, even worse, the platform from 10 years ago.

Any website not coded straight in C is junk.

Wordpress, Joomla, Drupal and so are really ecosystems unto themselves. For several years now, the core of those systems are pretty stable and secure, but like Windows they are built to be open, and therefore all manner of junk can be bolted on. But that doesn't make the systems themselves junk (and BTW, I think Windows since Win7 has been pretty damn good and not at all the platform that earned it the buggy reputation that Win95 and Win98 had).

Yes, they've had some bad exploits. But so did OpenSSL and nobody went around saying it was junk.

Most of my 403s come from hackers looking for vulnerability exploits found in Wordpress, Joomla or Drupal. This never seems to stop despite the fact I don't use these CMSs (I just block the exploits to lessen the server load.)

Joomla and Wordpress are junk. They are "free" therefore you give them the right to be owned.

On the whole free software is more secure: Linux or BSD vs Windows etc.

Wordpress and Joomla are just not well designed for security. Drupal 8 will be a lot more secure than Drupal 7 because it is built on a well designed framework.

@ergophobe, Wordpress's security problems may now mostly lie in the plugins (and some themes) but the plugins are the reason Wordpress is worth using for anything other than a blog. The systems may not be junk, but they may not be particularly worth using either.

Unfortunately, another issue/stain on the Joomla history, it happens here more than on other ecosystems. Wp follows, Drupal is not alone but it's rare to find such issues so often. About Drupal, now we have the incoming 8 version and Pressflow (a fork) and I think there was another fork around but can't remember the name.

>>Drupal is not alone but it's rare to find such issues so often.

Drupageddon was a nightmare. That said, because of the way Drupal reviews modules, there are fewer bad security vulnerability in plugins and some changes in both code and procedure (I believe all modules will require full automated tests for the module to be accepted) will make that even less likely in Drupal 8.

>>I think there was another fork around but can't remember the name.

You're probably thinking of Backdrop, which is a true fork, meaning never going back. Pressflow is a few enhancements for performance that were a big deal in D6, less so in D7 because many of the Pressflow innovations became part of D7. Don't know what the D8 future is.

This is the exploit attempt I've been seeing 10x a day for 2 weeks:

"GET /joomla/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(ExtractValue()) HTTP/1.0" 403 1496 "-" "-"

Coming from compromised servers (I assume) across the globe.

there are fewer bad security vulnerability in plugins and some changes in both code and procedure (I believe all modules will require full automated tests for the module to be accepted) will make that even less likely in Drupal 8.

Yes true, it's a good thing. The only collateral disadvantage is, the harder, the less people wants to jump in, and then not so many market options or people wanting to use it. I've been working with Drupal, but at least in my country a lot of people avoid it because it's difficult to hire/replace developers. Still is a price I pay gladly to sleep more comfortable.

Backdrop, yes thanks for the reminder completely forgot about it. About D8, been away from it, my involvement with Symfony affected my view, that doesn't mean D will work like Symfony, it just will be a part of it.

Coming back to Joomla, it's good, I just hope they really do something about security, at least in circles I've seen around it's becoming more and more famous for security vulnerabilities. Around here the Government gave a lot of projects to one company who used Joomla, it was a nightmare to see all the jokes about the sites being hacked. There is a lot of responsibility on the developers and implementation of such sites (not just Joomla) but the sad thing is "stains remain around the brand".

>>my involvement with Symfony affected my view,

It sounds like your view of Symfony is negative? I haven't used it at all.

>>it's difficult to hire/replace developers

I think all of that is true - it's almost as easy to get started as Wordpress, but to be proficient is much harder and getting harder all the time. Most WP "developers" are not even really developers and I'd say most have no idea about version control, unit testing, automated integration testing, automated builds and automated build testing and so on. Yet in the Drupal world it's becoming hard to avoid any of that. It's getting to where the minimum standard for Drupal is, in fact, a fairly high professional standard.

Symfony... regardless of personal taste or my challenges with it, searching and reading all around the web brought far to many unfinished discussions, unsolved answers an abandoned threads, that's not good. Also found too many questions with solutions working 4-6 out of 10. Besides there were easy, pretty easy things taking too many lines to get stuff done.

As for the tradition on Drupal being less tolerant on code, it's something others could learn from and adopt as standards. Sometimes developers want their tools easily adopted, but it comes at the price of not so safe solutions.

I need to stay out of this. Unless a customer demands a CMS, I hard code it (with my team) to be the best it can be FOR THEM with little or no chinks in security.

Yet, I do have to admire some of the bells and whistles in these various (WP, Joomla, Drupal, etc) which we do not provide.... for the reason listed above.

I can only hope the hackers do not go after the Old School method of coding. I pretty sure they could find a way to get "us", too!

Unless a customer demands a CMS, I hard code it

I agree. Most everything I do is hand-coded using unique files names to lessen the probability of an exploit match. I don't even use php contact forms offered by hosting companies, or any other out-of-the-box scripts. If I do use php I use a custom php.ini and write my own code with custom, built-in security.

However, almost every hosting company now offers CMS, often as a 1 click install. This attracts customers. Most web designers will also offer CMS choices. It's the new look in many genres, complete with social tagging. It looks good, it's fictional and customers love it.

The down-side is what we've seen here, and will continue to see. Exploits are found, then patched, then new exploits are found... ad infinitum.

I pretty sure they could find a way to get "us", too!

Agreed. But as you say, unless the site itself is high-value or has a footprint that marks it as exploitable or by random poor luck/skill duplicates an exploit in a major CMS, nobody is going after you.

And if your hard-coded CMS is does not have a pluggable architecture, your attack surface is comparatively small. As often as not, the exploits concern modules/plugins that get turned on by default but which a lot of people don't want to use.

Way back I was also a proponent of custom coded CMS.

Then came to feel like an off-the-shelf app like WP, Drupal or Joomla gave you a huge leg up on dev time.

Lately, I've been feeling that less so if you think of lifetime value.

I have sites that I coded by hand in 2000 (or so) that are still online with no code updates in over ten years. Are the responsive? Of course not. Do they work? Yup. Have they been attacked? Not yet....

But ten years, no maintenance fees, no security fixes, no major version upgrades. Just cheap hosting (because they run on anemic machines because the only do exactly what they were built to do with the min number of queries).

unless the site itself is high-value or has a footprint that marks it as exploitable or by random poor luck/skill duplicates an exploit in a major CMS, nobody is going after you.

Not true. The threat model today is often bot nets of infected servers sending out hundreds of exploit probes to every site it finds, not just "high-value" site. I see it all the time on client's sites.

>>bot nets of infected servers sending

Understood and that's why my comment continues. Clearly, if your OS or version of MySQL or PHP has an inherent exploit, you're as vulnerable as anyone else (Heartbleed, for example). The vast majority of what I see, though, is people requesting specific files with specific parameters. Usually they are targeting some well-known app.

A Drupal site I run was recently brought down by a botnet attack that consisted of massive numbers of requests for a Wordpress file (which needless to say doesn't exist on that server).

So when you have a custom app with filenames that do not overlap with WP, Drupal, Dot Net Nuke, or whatever as you say you do, your attack surface is much reduced. Sure, the botnets are probing you constantly, but you're going to respond to the majority of those requests with a 404. That's what was happening to us, the problem is the attack was so severe we couldn't serve up 404s fast enough and it took down the site. But that's a DDOS attack not an exploit.

However, almost every hosting company now offers CMS, often as a 1 click install. This attracts customers. Most web designers will also offer CMS choices. It's the new look in many genres, complete with social tagging. It looks good, it's fictional and customers love it.

So true, and lots of customers bite it and pay for it, problem is most times it ends up broken. Now the major downside is, this should mean a business opportunity, fixing broken cms installs and hacked websites. Sadly what usually means is people needing a site but having their trust/faith also broken and having spent their budget already. Very few... mean paid work. No disrespect to Joomla, I thought it was going to be (at least in my region) a good business opportunity but it meant a dead end.

Wordpress on the other hand has open new markets around the same: fixing things, the problem is sometimes a 0.01 version change means some ugly plugin stop working, and it's really a pain to work around that on a tight budget while other cms can do it out of the box, or code it yourself.

I have not used Synfony - I looked at it, and it looked pretty good if needed a PHP framework, but I eventually decided I did not need PHP. I assume that good PHP frameworks exist, if Symfony is not it, something else will be.

Almost everything I do is based on a framework. I use Django which has a good security track record, is easy to customise, and is just pluggable enough. Components are usually fairly secure, because the easy way to do things is usually the secure way (e.g. use the ORM which escapes all your queries, forms require CSRF protection by default, it checks the HTTP host headers is correct before returning a page....). All this is well tested and fixes are distributed quickly, so I think it is probably more secure than a hand coded from scratch site.

A framework is a lot more flexible than a CMS: ftp take a trivial example, Wordpress requires (still?) a plugin to change the admin URL, whereas with Django you just edit your urls.py file (which you need to edit anyway). All directories for media and static files are configurable so there is no easily recognisable signature that tells people what software a site is running on. It is safe from low level attacks.

It does nothing out of the box so it takes more work to get a simple site up and running, but you can install a CMS app for it, and it would still be a lot more secure than something like Wordpress, but it is a lot easier to develop for than a CMS, and a LOT easier than hand coding everything from scratch.

>>Wordpress requires (still?) a plugin to change the admin URL

You've touched on a sore point. Example: WP does not allow you to create a custom URL with a / in it. There are some plugins that enable it, but they whack any existing URLs you have. In general, URL handling in Wordpress is abysmal. When I built my own CMS from scratch, full flexibility in URLs and basic abstraction - URL != title != menu etc was essential and this is back in the 1990s...

So to your more general point - a CMS gives you a lot off the shelf. I would say most of it good, but when there's something that's just plain stupid, it is VERY hard to fix.

I would say most of it good, but when there's something that's just plain stupid, it is VERY hard to fix.

For a few of my clients (I came after the fact of their CMS of choice install) it has also proved to be more expensive.

>>proved to be more expensive

I'm sure it has.